Configure Published API Projects in API Gateway

Configure the published API by updating the context variables in API Gateway to reflect your environment and by specifying the role mappings.


Verify Prerequisites

Ensure that you have completed the following prerequisites:

Configuration Workflow

Complete these steps for every API you publish to API Gateway:
  1. The API Gateway administrator configures the published API.
  2. The API Gateway administrator tests the published API.
  3. (Optional) The API Gateway administrator exposes the published API from Gateway to the API Portal (SaaS or on-premise).
  4. (Optional) The API consumer accesses the published APIs using the API Portal (SaaS or on-premise).

Review and Confirm the Context Variables to Reflect your Environment

  1. In the Policy Manager, expand the LiveAPICreator/LAC Projects folder and open the published API project by double-clicking the project name.
  2. Display comments within the project by clicking Show Comments.
  3. Expand the All assertions must evaluate to true // LAC-00-Project Configuration policy.
  4. Review and confirm that the following context variables are set as indicated:

project.forwaded.httpScheme

Expression value: https

project.forwarded.port

Expression value: 8443

project.forwarded.hostname

Expression value: ${gateway.cluster.hostname}

project.name

Expression value: The URL fragment for your published API project.

Example: demo

project.version

Expression value: Your current API version.

Example: v1

project.endpoint.hostname

Expression value: Your API Server name.

Example: lacserver1

project.endpoint.port

Expression value: 8081

project.endpoint.httpScheme

Expression value: https

project.rootPath

Expression value: rest/default

Set up API Access Permissions

Set up API access permissions by mapping the groups retrieved from an identity provider that is configured in API Gateway to Live API Creator (LAC) roles. The reference LiveApiCreator service includes reference policy fragments that illustrate how to map API Gateway groups to LAC roles. Customize the reference policy to reflect your system landscape by configuring and enabling the mapping of the API Gateway identity provider groups to LAC roles.

Complete one of the following:

  • If you are configuring a simple mapping of API Gateway groups to LAC roles based on API Gateway Internal Identity Provider (IIP), configure a simple internal identity provider.
  • If you have configured an LDAP identity provider in API Gateway using the Policy Manager, configure the LDAP identity provider.

Configure a Simple Internal Identity Provider

  1. In the Policy Manager, from the LiveApiCreator/LAC Projects folder, open your published API project.
  2. Under the Project Configuration policy fragment, open and modify the following context variables:

    project.roleMappingType

    Set the expression to 'simple'.

    project.simpleRoleMapper.users

    Adjust the value to reflect your user and group configuration.

    Note: As a reference point, the value for this context variable illustrates how the internal admin user is mapped to the internal, hard-coded API Gateway-defined Developer and Documentation groups.

    project.simpleRoleMapper.userRoles

    Adjust the expression value to reflect your API Gateway group to LAC role mapping.

    Note: As a reference point, the value for this context variable illustrates how the Developer group is mapped to the LAC-defined API Owner role. Similarly, the Documentation group is mapped to the LAC-defined API Documentation role. If you do not adjust the expression value for this context variable, then API Gateway uses the expression value of the project.simpleRoleMapping.defaultRole context variable as the LAC-defined API Documentation role.

Configure the LDAP Identity Provider

  1. In Policy Manager, open the Project Configuration policy fragment and set the value of the project.roleMappingType context variable to 'ldap'.
  2. Complete one of the following:
    • If your API project includes roles that do not match the LDAP groups, adjust the value of the project.simpleRoleMapper.userRoles context variable to match the LDAP groups to the LAC role.

      Note: The value of the project.simpleRoleMapper.users context variable is populated dynamically from the user's LDAP group membership by way of the (cn=${authenticatedUser.login}) LDAP search filter. This search filter sets the ldapGroups context variable using the LDAP 'memberOf' attribute.

    • If your API project includes roles that match the LDAP groups, your users' LDAP groups are passed through to API Server. No additional configuration is needed.
    • If you are using an identity provider different from LDAP, such as Microsoft Active Directory (MSAD), adjust the value of the ldapGroups context variable from 'memberOf' to an attribute that returns the user's group membership.
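
The group-to-role resolution described in the simple and LDAP sections above can be modelled offline to review who ends up with which LAC role before the project is activated. This is an added example, not code from API Gateway or Live API Creator. It assumes that the mappings can be expressed as dictionaries, that LDAP groups are matched by the CN of each memberOf value, and that the default role applies only when no group matched; the logins and DNs are constructed.

```python
import re
DEFAULT_ROLE = "API Documentation"  # default role named on the page

def group_name(member_of_value):
    """Group name from one memberOf value: the CN of the DN's first RDN.
    Assumption: groups are matched by CN; a non-DN value is used as is."""
    m = re.match(r"\s*cn\s*=\s*((?:\\.|[^,+\\])+)", member_of_value, re.I)
    if not m:
        return member_of_value.strip()
    # Undo RFC 4514 escapes: "\," style pairs and "\2C" style hex bytes.
    raw = re.sub(rb"\\([0-9a-fA-F]{2}|.)",
                 lambda e: bytes([int(e[1], 16)]) if len(e[1]) == 2 else e[1],
                 m.group(1).encode())
    return raw.decode().strip()

def resolve_roles(groups, user_roles, lac_roles):
    """Return (roles, unmapped groups, whether the default role was used)."""
    roles, unmapped = set(), []
    for group in groups:
        if group in user_roles:      # explicit group -> LAC role mapping
            roles.add(user_roles[group])
        elif group in lac_roles:     # group name equals a role: passed through
            roles.add(group)
        else:
            unmapped.append(group)
    used_default = not roles         # assumption: default only when nothing matched
    roles = roles or {DEFAULT_ROLE}
    return sorted(roles), unmapped, used_default

def audit(users, user_roles, lac_roles, mapping_type="simple"):
    """Per-login report; for 'ldap', users maps login -> memberOf values."""
    report = {}
    for login, groups in users.items():
        if mapping_type == "ldap":
            groups = [group_name(value) for value in groups]
        roles, unmapped, default = resolve_roles(groups, user_roles, lac_roles)
        report[login] = {"roles": roles, "unmapped": unmapped, "default": default}
    return report

# Constructed sample data (logins and DNs are invented for the example).
LAC_ROLES = {"API Owner", "API Documentation"}
USER_ROLES = {"Developer": "API Owner", "Documentation": "API Documentation"}
SIMPLE_USERS = {"admin": ["Developer", "Documentation"]}
LDAP_USERS = {"alice": ["CN=Developer,OU=Groups,DC=example,DC=com"],
              "bob": ["cn=Ops\\, Tier2,ou=Groups,dc=example,dc=com"],
              "carol": ["CN=API Owner,OU=Groups,DC=example,DC=com"]}

if __name__ == "__main__":
    print(audit(LDAP_USERS, USER_ROLES, LAC_ROLES, "ldap"))
```

Entries with "default": True or a non-empty "unmapped" list are the ones to review: they are users whose directory groups grant nothing explicitly and who receive access only through the default role.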

Activate the Updated API Project in API Gateway

In Policy Manager, save and activate the project.

Next Steps

Now that you have configured your published API project in API Gateway, you can consume the published API project. For more information, see Consume the Published API Project in API Gateway.